- Enable Web Application Firewall for Front Door Profiles
Ensure that Web Application Firewall (WAF) security policies are enabled for your Microsoft Azure Front Door profiles in order to protect your applications from common exploits and vulnerabilities, keep your service available, and help you meet compliance requirements.
Azure Web Application Firewall (WAF) provides centralized protection of your web applications from common threats such as SQL injections, Cross Site Scripting (XSS), and local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other HTTP(S) parameters via custom rules using the firewall service.
Audit
To determine if Web Application Firewall (WAF) policies are enabled for your Azure Front Door profiles, perform the following operations:
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Front Door and CDN profile, and choose Apply to list only the Azure Front Door and CDN profiles available in the selected subscription.
05 Click on the name (link) of the Front Door and CDN profile that you want to examine.
06 In the resource navigation panel, under Security, select Security policies.
07 On the Security policies listing page, check for any active Web Application Firewall (WAF) security policies defined for the selected profile. An active WAF security policy has the Provisioning state set to Succeeded. If there are no active WAF security policies listed on this page, Azure Web Application Firewall (WAF) is not enabled for the selected Microsoft Azure Front Door profile.
08 Repeat steps no. 5 – 7 for each Azure Front Door profile deployed in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run afd profile list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Front Door and CDN profile available in the current subscription:
az afd profile list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'
02 The command output should return the requested profile identifiers:
Name               ResourceGroup
-----------------  ------------------------------
tm-project5-cdn    cloud-shell-storage-westeurope
tm-web-portal-cdn  cloud-shell-storage-westeurope
03 Run afd security-policy list command (Windows/macOS/Linux) with the name of the Azure Front Door and CDN profile that you want to examine and its associated resource group as the identifier parameters, to list the name and the provisioning state of each WAF security policy defined for the selected profile:
az afd security-policy list --profile-name tm-project5-cdn --resource-group cloud-shell-storage-westeurope --query '[].{"name":name,"provisioningState":provisioningState}'
04 The command output should return the requested resource information:
[]
If the afd security-policy list command output returns an empty array, i.e. [], there are no WAF security policies defined for the selected Azure Front Door profile. If the command output returns one or more security policies, check the "provisioningState" attribute value to determine the policy status. If the "provisioningState" is not set to "Succeeded", the security policy is not active, therefore, Azure Web Application Firewall (WAF) is not enabled for the selected Microsoft Azure Front Door profile.
05 Repeat steps no. 3 and 4 for each Azure Front Door profile available within the current Azure subscription.
06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
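The decision rule from steps 03 and 04, as an added example that is not part of the original page: it evaluates the full JSON that afd security-policy list returns (without the --query filter), and besides the empty-array and provisioningState checks above it also requires that the policy is of type WebApplicationFirewall, links a WAF policy and has at least one active domain association, all fields visible in the security policy output shown in the Remediation section. The sample records are constructed; the subscription id is a placeholder.

```python
import json
import sys

def evaluate_security_policies(policies):
    """Return (waf_enabled, findings) for one Front Door profile.

    `policies` is the parsed JSON list returned by
    `az afd security-policy list --profile-name <p> --resource-group <rg>`.
    """
    findings = []
    if not policies:  # the empty array case from step 04
        return False, ["no security policies defined for this profile"]
    active = 0
    for p in policies:
        name = p.get("name", "<unnamed>")
        params = p.get("parameters") or {}
        state = p.get("provisioningState")
        if state != "Succeeded":
            findings.append(f"{name}: provisioningState is {state!r}, not Succeeded")
            continue
        if params.get("type") != "WebApplicationFirewall":
            findings.append(f"{name}: type is {params.get('type')!r}, not WebApplicationFirewall")
            continue
        if not (params.get("wafPolicy") or {}).get("id"):
            findings.append(f"{name}: no WAF policy linked")
            continue
        domains = [d for a in params.get("associations", []) for d in a.get("domains", [])]
        if not any(d.get("isActive") for d in domains):
            findings.append(f"{name}: no active domain association")
            continue
        active += 1
    return active > 0, findings

# Constructed sample shaped like the page's `afd security-policy create` output
# (subscription id replaced by a placeholder).
SUB = "/subscriptions/<subscription-id>/resourcegroups/cloud-shell-storage-westeurope/providers"
SAMPLE_ENABLED = [{
    "name": "tm-project5-cdn-sec-policy",
    "provisioningState": "Succeeded",
    "parameters": {
        "type": "WebApplicationFirewall",
        "associations": [{"domains": [{"id": SUB + "/Microsoft.Cdn/profiles/tm-project5-cdn/afdendpoints/tm-project5-endpoint",
                                       "isActive": True}],
                          "patternsToMatch": ["/*"]}],
        "wafPolicy": {"id": SUB + "/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/FrontDoorWafPolicy"},
    },
}]
# Same policy while still provisioning (constructed): must be reported as not enabled.
SAMPLE_PENDING = [dict(SAMPLE_ENABLED[0], provisioningState="Updating")]

if __name__ == "__main__":
    # Pipe real output in: az afd security-policy list ... -o json | python3 this_script.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ENABLED
    enabled, findings = evaluate_security_policies(data)
    print("WAF enabled" if enabled else "WAF NOT enabled", *("- " + f for f in findings), sep="\n")
```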
Remediation / Resolution
To enable Web Application Firewall (WAF) support for your Microsoft Azure Front Door profiles, perform the following operations:
Using Azure Console
01 Sign in to the Azure Management Console.
02 Navigate to All resources blade at https://portal.azure.com/#browse/all to access all your Microsoft Azure cloud resources.
03 Choose the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.
04 From the Type equals all filter box, choose Equals, select Front Door and CDN profile, and choose Apply to list only the Azure Front Door and CDN profiles available in the selected subscription.
05 Click on the name (link) of the Front Door and CDN profile that you want to configure.
06 In the resource navigation panel, under Security, select Security policies.
07 On the Security policies page, choose Add, and perform the following actions to create a new security policy for your profile. A security policy includes a Web Application Firewall (WAF) policy and one or more domains to provide centralized protection for your web application:
- For Name, provide a unique name for your new security policy.
- For Domains, choose the domain(s) that you want to protect with Azure Web Application Firewall (WAF).
- For WAF Policy, choose Create New to create the Web Application Firewall (WAF) policy that will integrate with your security policy. Enter a name for the WAF policy in the Name box, check the Add bot protection checkbox for protection against malicious bots, then choose Create to deploy your WAF policy. The WAF policy provides protection for OWASP top 10 vulnerabilities, including bot protection.
- Choose Save to apply the changes. This will enable Web Application Firewall (WAF) support for the selected Azure Front Door profile.
08 Repeat steps no. 5 – 7 for each Azure Front Door profile that you want to configure, deployed in the selected Azure subscription.
09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
01 Run network front-door waf-policy create command (Windows/macOS/Linux) to create a Web Application Firewall (WAF) policy for your Azure Front Door profile. This will protect your web application from common exploits and vulnerabilities, keep your service available, and help you meet compliance requirements. The WAF policy must be of the same tier as your Front Door profile:
az network front-door waf-policy create --name FrontDoorWafPolicy --resource-group cloud-shell-storage-westeurope --sku Premium_AzureFrontDoor --location Global --mode Prevention
02 The command output should return the configuration information available for the new WAF policy:
{
  "customRules": {
    "rules": []
  },
  "frontendEndpointLinks": [],
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/FrontDoorWafPolicy",
  "location": "Global",
  "managedRules": {
    "managedRuleSets": []
  },
  "name": "FrontDoorWafPolicy",
  "policySettings": {
    "enabledState": "Enabled",
    "javascriptChallengeExpirationInMinutes": 30,
    "mode": "Prevention",
    "requestBodyCheck": "Enabled"
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "resourceState": "Enabled",
  "securityPolicyLinks": [],
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "tags": {},
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
}
03 Run network front-door waf-policy managed-rules add command (Windows/macOS/Linux) to add one or more managed rule sets to your new Web Application Firewall (WAF) policy. The following command example adds the Microsoft_DefaultRuleSet managed rule set, version 2.1, with the default action set to Block:
az network front-door waf-policy managed-rules add --policy-name FrontDoorWafPolicy --resource-group cloud-shell-storage-westeurope --type Microsoft_DefaultRuleSet --version 2.1 --action Block
04 The command output should return the configuration information available for the configured WAF policy:
{
  "customRules": {
    "rules": []
  },
  "etag": null,
  "frontendEndpointLinks": [],
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/FrontDoorWafPolicy",
  "location": "Global",
  "managedRules": {
    "managedRuleSets": [
      {
        "exclusions": [],
        "ruleGroupOverrides": [],
        "ruleSetAction": "Block",
        "ruleSetType": "Microsoft_DefaultRuleSet",
        "ruleSetVersion": "2.1"
      }
    ]
  },
  "name": "FrontDoorWafPolicy",
  "policySettings": {
    "customBlockResponseBody": null,
    "customBlockResponseStatusCode": null,
    "enabledState": "Enabled",
    "javascriptChallengeExpirationInMinutes": 30,
    "mode": "Prevention",
    "redirectUrl": null,
    "requestBodyCheck": "Enabled",
    "scrubbingRules": null,
    "state": null
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "resourceState": "Enabled",
  "routingRuleLinks": null,
  "securityPolicyLinks": [],
  "sku": {
    "name": "Premium_AzureFrontDoor"
  },
  "tags": {},
  "type": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
}
05 Run afd security-policy create command (Windows/macOS/Linux) to create the Azure Front Door profile security policy that will integrate your new WAF policy. Use the --domains parameter to specify the domains to provide centralized protection for your web application:
az afd security-policy create --profile-name tm-project5-cdn --resource-group cloud-shell-storage-westeurope --security-policy-name tm-project5-cdn-sec-policy --domains "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/tm-project5-cdn/afdendpoints/tm-project5-endpoint" --waf-policy "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/FrontDoorWafPolicy"
06 The command output should return the configuration information available for the new security policy:
{
  "deploymentStatus": "NotStarted",
  "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/tm-project5-cdn/securitypolicies/tm-project5-cdn-sec-policy",
  "name": "tm-project5-cdn-sec-policy",
  "parameters": {
    "associations": [
      {
        "domains": [
          {
            "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Cdn/profiles/tm-project5-cdn/afdendpoints/tm-project5-endpoint",
            "isActive": true,
            "resourceGroup": "cloud-shell-storage-westeurope"
          }
        ],
        "patternsToMatch": [
          "/*"
        ]
      }
    ],
    "type": "WebApplicationFirewall",
    "wafPolicy": {
      "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/frontdoorwebapplicationfirewallpolicies/FrontDoorWafPolicy",
      "resourceGroup": "cloud-shell-storage-westeurope"
    }
  },
  "provisioningState": "Succeeded",
  "resourceGroup": "cloud-shell-storage-westeurope",
  "type": "Microsoft.Cdn/profiles/securitypolicies"
}
07 Repeat steps no. 5 and 6 for each Azure Front Door profile that you want to configure, available within the current subscription.
08 Repeat steps no. 1 – 7 for each subscription created in your Microsoft Azure cloud account.
References
- Azure Official Documentation
- What is Azure Web Application Firewall?
- Tutorial: Create a WAF policy on Azure Front Door by using the Azure portal
- Azure Command Line Interface (CLI) Documentation
- az afd profile list
- az afd security-policy list
- az network front-door waf-policy create
- az network front-door waf-policy managed-rules add
- az afd security-policy create